Configuring Single Sign-On for the SAP HANA Cockpit

This guide provides detailed instructions on how to set up Single Sign-On (SSO) user authentication for a resource through the cockpit. Enabling Single Sign-On allows a cockpit user to log on to a resource without being prompted for database user credentials.

Note that SSO is only possible for the following SAP HANA monitored resources:
  • SAP HANA 1.0 SPS 12 revision 14 or later
  • SAP HANA 2.0 SPS 01 or later

Enabling Single Sign-On

Prerequisites

  1. You already have a database user with the CATALOG READ, TRUST ADMIN, CERTIFICATE ADMIN, and USER ADMIN privileges granted to it.
      • In this guide, the username for the example database user is "SSO_USER". You can choose a different username if desired.
      • To assign the necessary system privileges to an existing user, you can execute the following SQL statements (replace TESTUSER with the name of your user, e.g. SSO_USER):
          • GRANT TRUST ADMIN TO TESTUSER;
          • GRANT CERTIFICATE ADMIN TO TESTUSER;
          • GRANT USER ADMIN TO TESTUSER;
          • GRANT CATALOG READ TO TESTUSER;
      • Alternatively, you can also use the UI to assign system privileges to a role, and then assign the role to multiple users. For detailed instructions on how to create a new role through the UI, please refer to the appendix in The SAP HANA Cockpit Security Model article.
  2. You already have a cockpit user with the Cockpit User Role assigned to it.
      • In this guide, the username for the example cockpit user is "COCKPIT_USER". You can choose a different username if desired.
      • For a detailed guide on how to create a cockpit user, please refer to the Creating a New Cockpit User section in The SAP HANA Cockpit Security Model article.
  3. You already have a database user with the USER ADMIN system privilege.
      • This user is independent of the two other users in prerequisite #1 and prerequisite #2; its username does not need to relate to theirs.
      • In this guide, the username for this database user is "USER_ADMIN". You can choose a different username if desired.
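The following SQL is an added example, not part of the original guide or of SAP's documentation. It sets up the prerequisite #1 user via a role (the alternative the bullet above describes), then checks the result so you can confirm the SSO user holds exactly the four required system privileges and nothing more before its credentials are stored in the Cockpit Manager. The role name SSO_SETUP_ROLE and the use of the SYS.GRANTED_PRIVILEGES system view with OBJECT_TYPE = 'SYSTEMPRIVILEGE' are assumptions; run it as a user that holds USER ADMIN and can grant these privileges.

```sql
-- Added example (not from the original page): create the SSO database user
-- through a role, then verify its effective system privileges.
-- Assumptions: role name SSO_SETUP_ROLE; SYS.GRANTED_PRIVILEGES exposes
-- system privileges with OBJECT_TYPE = 'SYSTEMPRIVILEGE'.

-- The user the cockpit will log on as once SSO is enabled (prerequisite #1).
-- The password is only needed for Step 3 of the procedure; use your own value.
CREATE USER SSO_USER PASSWORD "ChangeMe-Init-1" NO FORCE_FIRST_PASSWORD_CHANGE;

-- Bundle the four privileges in a role so they can be reviewed and revoked as a unit.
CREATE ROLE SSO_SETUP_ROLE;
GRANT TRUST ADMIN TO SSO_SETUP_ROLE;
GRANT CERTIFICATE ADMIN TO SSO_SETUP_ROLE;
GRANT USER ADMIN TO SSO_SETUP_ROLE;
GRANT CATALOG READ TO SSO_SETUP_ROLE;
GRANT SSO_SETUP_ROLE TO SSO_USER;

-- Least-privilege check: list every system privilege SSO_USER holds, directly or
-- through a role. Expect exactly CATALOG READ, CERTIFICATE ADMIN, TRUST ADMIN and
-- USER ADMIN; anything else was granted outside this procedure and should be reviewed.
SELECT USER_NAME, PRIVILEGE, GRANTEE, GRANTEE_TYPE, IS_VALID
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'SSO_USER'
   AND OBJECT_TYPE = 'SYSTEMPRIVILEGE'
 ORDER BY PRIVILEGE;
```

Because every cockpit user mapped to SSO_USER later inherits these privileges through SSO, this check is worth repeating after the JWT mapping is in place and whenever the role's membership changes.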

Procedure

Step 1) From the Cockpit Manager home page, click on the Registered Resources tab to see your list of registered resources.
Step 2) Select the resource you want to enable SSO for and click the Edit button to edit the details.
      • Note: SSO can only be set up for a previously registered resource.
          • If you want to set up SSO for a resource you have not previously registered in the cockpit, simply register the resource first, and then click Edit afterwards. It is currently not possible to enable SSO during the initial registration of a resource.
Step 3) Enable SSO by clicking the Yes radio button and entering the credentials of a user with the CATALOG READ, TRUST ADMIN, CERTIFICATE ADMIN, and USER ADMIN privileges granted to it (in this example, SSO_USER).
Step 4) Click the Save button to save your changes. Exit the Cockpit Manager and navigate to the cockpit.
Step 5) Log in to the database as a user with the USER ADMIN system privilege assigned to it (in this example, USER_ADMIN).
Step 6) On the Overview page, click the Manage Users link, and select the user from prerequisite #1 (in this example, SSO_USER).

Step 7) To set the JWT mappings, check the checkbox beside "JWT - You must add at least one identity provider" and then click the Add JWT Identity button. Choose one from the Identity Provider drop-down (it is either XSA_APPLICATIONUSER or starts with the name "XS_JWT_XSA_") and turn Automatic Mapping by Provider off.
Finally, enter the username of the existing cockpit user from prerequisite #2 in the External Identity field and click the Save button.

Step 8) Log out of the cockpit and log in as the cockpit user from prerequisite #2.

Step 9) Go to the Resources Directory and click Choose Authentication. Ensure that the Log on via single sign on radio button is enabled and click OK.
Step 10) Click on the resource name to log in. Notice how you are logged into the database as the user from prerequisite #1 without any prompt for credentials.
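The JWT mapping created in Step 7 can also be created and, more importantly, audited from SQL. The block below is an added example and not part of the original guide; it uses the ALTER USER ... ADD IDENTITY ... FOR JWT PROVIDER statement and the SYS.JWT_PROVIDERS and SYS.JWT_USER_MAPPINGS system views. The provider name XSA_APPLICATIONUSER is taken from Step 7 above; on your system it may instead be a provider whose name starts with XS_JWT_XSA_, so the first query is there to find it. Execute it as the USER ADMIN user from prerequisite #3.

```sql
-- Added example (not from the original page): SQL equivalent of Step 7, plus an
-- audit query. Assumptions: the cockpit's provider is XSA_APPLICATIONUSER and the
-- system views SYS.JWT_PROVIDERS / SYS.JWT_USER_MAPPINGS are available.

-- 1) Find the identity provider the cockpit issues tokens from.
SELECT JWT_PROVIDER_NAME, ISSUER
  FROM SYS.JWT_PROVIDERS
 ORDER BY JWT_PROVIDER_NAME;

-- 2) Map exactly one external identity (the cockpit user from prerequisite #2) to
--    the database user from prerequisite #1. This is the explicit mapping that
--    Step 7 creates with "Automatic Mapping by Provider" turned off: only the
--    named cockpit user may log on as SSO_USER.
ALTER USER SSO_USER ADD IDENTITY 'COCKPIT_USER' FOR JWT PROVIDER XSA_APPLICATIONUSER;

-- 3) Audit: list every JWT identity that can log on as SSO_USER. Expect a single
--    row for COCKPIT_USER. Any additional row is another cockpit user who would
--    obtain SSO_USER's USER ADMIN and TRUST ADMIN privileges through SSO.
SELECT USER_NAME, JWT_PROVIDER_NAME, EXTERNAL_IDENTITY
  FROM SYS.JWT_USER_MAPPINGS
 WHERE USER_NAME = 'SSO_USER'
 ORDER BY JWT_PROVIDER_NAME, EXTERNAL_IDENTITY;

-- 4) Remove a mapping that should not exist (undo of step 2).
-- ALTER USER SSO_USER DROP IDENTITY FOR JWT PROVIDER XSA_APPLICATIONUSER;
```

Keeping the mapping explicit and one-to-one is what makes the audit meaningful: with automatic mapping on, the set of cockpit users who can reach SSO_USER is decided by the token issuer rather than by a row you can review in the database.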

Enforcing Single Sign-On

Enforcing Single Sign-On for a resource removes the option of allowing users to choose between logging on with SSO or logging on with the credentials of a different database user. Instead, users will only be able to log in to a database with SSO. 

Prerequisites

SSO is already enabled for your resource and you have already completed all the steps in the above section. Do NOT enforce SSO until after you have set the JWT mappings for your database user.

Procedure

Step 1) Log in to your Cockpit Manager and, from the home page, click on the Registered Resources tab. Select the resource you want to enforce SSO for and click the Edit button on the Resource details page. Select the Yes radio button for the Enforce SSO option.
Step 2) Enter the credentials of the same user that you used to enable SSO. Click the OK button when you are done.
Step 3) Exit the Cockpit Manager and log in to the cockpit.
Click on the Resources Directory link to see a list of resources that you have access to. Notice that the resource you enforced SSO for now says "SSO enforced" in the Credentials column. You can now only access the database if you are the cockpit user from prerequisite #2.